Centrify Regional Director APAC Matt Ramsay has warned that the changes risk repeating the cost and compliance challenges of the Sarbanes-Oxley (SOX) legislation in the US. “While SOX has raised the compliance bar for corporate reporting, it has had the unintended impact of creating a lot of uncertainty because of its lack of precision.”
“SOX compliance costs and complexity have run out of control in the US during the past decade. The SOX legislation is prescriptive without being descriptive: It tells you to jump, but not how high. As a result, US corporations need to jump a very high bar indeed to avoid the threat of non-compliance.”
Taking effect from March, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 implements a new set of harmonised privacy principles to regulate the handling of personal information by both Australian businesses and government agencies.
“From March, Australian organisations will face the same challenge from the new privacy legislation – the requirement to ‘take reasonable steps’ to demonstrate compliance without a clear understanding of exactly what is required. Penalties range from $340,000 for an individual to $1.7 million for an agency, in addition to reputational brand damage that may result from such an investigation.”
Ramsay said both public and private sector organisations should take special note of key changes to the law and act now to prepare for these changes. “From my review, it is clear that three key principles from this new privacy protection legislation are particularly relevant to IT Security.
“For example, APP 1 requires open and transparent management of personal information. Entities ‘must’ take ‘reasonable’ steps to implement practices, procedures and systems relating to the privacy code.
“What makes this smell a little ‘SOXish’ is the imprecision of the term ‘reasonable steps’ to control such a broad area as data access and control, which are essential aspects of information security and cooperation between IT, legal, risk and executive management, without any specific guidance as to which internal controls must be assessed.”
According to Ramsay, the compliance challenges posed by the new act were exacerbated by two major technology trends: cloud services and mobility.
“Highly-connected pocket-sized devices coupled with Cloud-enabled enterprise applications make private details potentially more accessible and more vulnerable than at any time in our history.
“For organisations to successfully comply with this new legislative environment, they need to ask not only ‘what private information should we protect?’ but ‘who has access and how should we protect it?’”
To comply with the new Australian Privacy Principles without onerous costs and complexity, Ramsay said organisations needed to precisely manage individual identities by embracing approaches such as Single Sign-On (SSO) authentication and least privilege access controls. “SSO provides a real-time corporate roadmap of an organisation’s APP compliance.
“SSO can also free your staff from needing to remember usernames and passwords and greatly simplify de-provisioning Cloud apps by tying all logons back to a single identity store such as Microsoft Active Directory,” Ramsay concluded.
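The point Ramsay makes about tying every logon back to one identity store is easiest to see in a small model. The following Python is an added illustration written for this article; it is not Centrify's code and does not represent any product. The users, roles and application names are constructed, and the `IdentityStore` class is only a stand-in for a directory such as Active Directory. It contrasts an application that checks the central store on every logon with one that keeps its own local accounts, and shows what a "who has access" report looks like before and after a leaver is disabled once in the store.

```python
"""Toy model of centralised identity versus per-app local accounts.

Added illustration for this article, not Centrify's product or code.
All names, applications and users below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class IdentityStore:
    """Stands in for a single directory such as Active Directory (assumed)."""
    enabled: dict = field(default_factory=dict)   # identity -> bool
    roles: dict = field(default_factory=dict)     # identity -> set of roles

    def add(self, identity, roles):
        self.enabled[identity] = True
        self.roles[identity] = set(roles)

    def disable(self, identity):
        """De-provisioning: a single change in the central store."""
        self.enabled[identity] = False


@dataclass
class App:
    name: str
    # Least privilege: list only the roles this application actually needs.
    allowed_roles: set
    # Federated apps consult the store on every logon (the SSO case).
    federated: bool = True
    # Apps not tied to the store keep their own local account list.
    local_accounts: set = field(default_factory=set)

    def has_access(self, identity, store):
        if self.federated:
            # Both conditions must hold: identity is enabled, and it holds a role the app allows.
            return store.enabled.get(identity, False) and bool(
                self.allowed_roles & store.roles.get(identity, set()))
        # A local account knows nothing about the central store.
        return identity in self.local_accounts


def access_report(identity, store, apps):
    """Answer the 'who has access' question for one identity."""
    return sorted(a.name for a in apps if a.has_access(identity, store))


def build_scenario():
    """Constructed sample data: two users, three applications."""
    store = IdentityStore()
    store.add("alice", {"finance"})
    store.add("bob", {"marketing"})
    apps = [
        App("payroll", {"finance"}),
        App("crm", {"marketing", "sales"}),
        App("legacy-fileshare", {"finance"}, federated=False,
            local_accounts={"alice", "bob"}),
    ]
    return store, apps


def leaver_scenario():
    """Access for alice before and after she is disabled once in the store."""
    store, apps = build_scenario()
    before = access_report("alice", store, apps)
    store.disable("alice")
    after = access_report("alice", store, apps)
    return before, after


if __name__ == "__main__":
    before, after = leaver_scenario()
    print("before:", before)  # ['legacy-fileshare', 'payroll']
    print("after: ", after)   # ['legacy-fileshare']  (local account outlives de-provisioning)
```

The federated application loses access the moment the identity is disabled, while the application with its own local accounts still lets the leaver in until someone remembers to remove that account separately. That orphaned-account gap is the de-provisioning cost Ramsay is referring to, and the access report is the artefact an auditor asking about "reasonable steps" would expect to see.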